Bricked! Or, How to Resurrect a Dead Linksys WRT54G - Page 3

By Aaron Weiss

July 07, 2006

Seize The Moment With TFTP

You can use the TFTP (Trivial File Transfer Protocol) command-line utility to upload fresh firmware to the router in its brief moment of wakefulness. Windows, OS X and Linux all include TFTP clients.

First, you need a .bin file containing the known good firmware. You can visit the Linksys site as described above and download the .zip version of the firmware, which includes the .bin file. You can even use a .bin file for an open source firmware, so long as you choose one that's stable and tested and is the correct version for your router (or else you start this whole process all over again).

Windows users need some dexterity here. First, remove power from your router. Open two command prompt windows. In one, you will set up your TFTP command.

Type (but do not yet press enter):

tftp -i <router-IP> PUT firmwarefile.bin

In the second command prompt, enter:

ping -t <router-IP>

Run the ping command, which will begin probing and failing to reach the router. Now change window focus to your TFTP command.

Apply power to the router. Watch the ping window for a response, then hit enter in the TFTP window!

Miss by a beat and you’re too late – the pings will fail and your moment has passed. Cut power to the router and repeat the process. You need to start the TFTP the moment you see a successful ping.

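For OS X and Linux users, the principle is the same, but the process is easier. First, remove power from your router. Open a terminal window, start the tftp client against the router's address, and enter the commands (binary mode keeps the firmware image from being altered in transit):

tftp <router-IP>
tftp> binary
tftp> rexmt 1
tftp> timeout 60
tftp> put firmwarefile.bin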

Now apply power to your router. The tftp client will continuously retry uploading the firmware until the router responds. Hopefully, the router will briefly awaken, allowing the firmware upgrade to be sent. About two minutes later, the router will reset and become operational with the new firmware.
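What `rexmt 1` and `timeout 60` amount to on the wire, as an added example (not code from the article or from Linksys): a minimal RFC 1350 write client in Python that resends the write request every second until the bootloader answers, then streams the image in octet mode. The name `tftp_put` and its parameters are this example's own, and giving up after `timeout` seconds without an ACK for any one packet is its simplification of the client's timer.

```python
import socket
import struct
import time

BLOCK = 512  # RFC 1350 data block size


def tftp_put(host, data, name="firmwarefile.bin", port=69, rexmt=1.0, timeout=60.0):
    """Send `data` to a TFTP server in octet (binary) mode.

    Each packet is resent every `rexmt` seconds until it is ACKed; the upload
    is abandoned after `timeout` seconds without an ACK. `host` must be a
    dotted IPv4 address. Returns the number of DATA blocks sent.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(rexmt)
    # WRQ is opcode 2: filename, NUL, mode, NUL. "octet" is what -i / binary select.
    packet = struct.pack("!H", 2) + name.encode() + b"\0octet\0"
    peer, block, chunk = (host, port), 0, None
    try:
        while True:
            deadline = time.monotonic() + timeout
            while True:
                if time.monotonic() > deadline:
                    raise TimeoutError(f"no ACK for block {block}")
                try:
                    sock.sendto(packet, peer)
                    reply, addr = sock.recvfrom(516)
                except socket.timeout:
                    continue  # router still asleep: resend
                except OSError:
                    time.sleep(rexmt)  # e.g. link down or port unreachable
                    continue
                # TFTP has no authentication; at least ignore stray senders.
                if len(reply) < 4 or addr[0] != host or (block and addr != peer):
                    continue
                opcode, num = struct.unpack("!HH", reply[:4])
                if opcode == 5:  # ERROR packet from the server
                    raise RuntimeError(reply[4:].decode(errors="replace"))
                if opcode == 4 and num == block & 0xFFFF:
                    peer = addr  # the server replies from its own transfer port
                    break
            if chunk is not None and len(chunk) < BLOCK:
                return block  # a short (or empty) final block ends the transfer
            chunk = data[block * BLOCK:(block + 1) * BLOCK]
            block += 1
            packet = struct.pack("!HH", 3, block & 0xFFFF) + chunk
    finally:
        sock.close()
```

Start it with the router's address and the bytes of the .bin file before applying power. TFTP performs no authentication or integrity check of its own, so the image must already be a known good one.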

If your router simply refuses ever to respond to a ping at despite all these tricks, things are looking grim. You might want to start saving up $60 worth of router replacement kitty.

Short Circuits

You’re desperate. Nothing has worked, and your router is probably a doorstop. At this point, you might want to consider cracking the lid. This will certainly void your warranty, but then again, whatever bricked it this badly probably already did that.

There remains a small glimmer of hope. That glimmer is actually a spark, which, if you’re feeling brave, is what you may need to create.

Two invasive methods of short-circuiting your router have been reported successful. These techniques are controversial. Some in the router modifying community are opposed to even discussing these techniques. We’re not here to judge, nor do we endorse them. If you err even slightly, you’ll probably permanently destroy the router and possibly create a small fire hazard. Take precautions. Rubber-soled shoes and a fire extinguisher, minimum.

Unplug your router. Disassemble the case. On many models of WRT, the case is not held together with screws. You can press down on the top front to pop off the face. Manually untwist the two antennas. Press down on the bottom rear to pop off the backplane. You should be left with a tiny “I paid $60 for this?” circuit board attached to a plastic bottom panel. (Note that some router models do include a couple of screws which are accessible under the rubber feet.)

Look for the flash chip, which is typically marked “Intel” and is toward the front of the circuit board where the LEDs are. The pins on this chip are numbered at the corners – 1, 24, 25, and 48. Small white triangles mark every 5 pins.

[Figure: Flash Pins]

The two most successful “shortcuts” have been on routers of V4 or less, using one of two methods: short pins 15 and 16, or short pin 16 to earth via the left antenna input. [At least one reader wrote to tell us that on the WRT54GL v1.1, he had to use pins 16 and 17. Your mileage may vary, kids.]

A small jeweler’s screwdriver or the tip of a multimeter can be used to short pins 15 and 16. First, apply power to the router and depress the reset button for 30 seconds. Cycle the power again. Short pins 15 and 16, and depress the reset button for another 30 seconds. Now try to ping the router. Many report success.

Alternatively, use a copper or other conductive wire to connect the block of the left antenna input (the one with the braided cable) to pin 16. Again, press the reset button for 30 seconds, press the wire to pin 16 and the antenna block, and press the reset button for another 30 seconds.

You may experience small sparks with these procedures. And you need steady, accurate fingers – the pins on the flash chip are very, very small.

If you miss the correct pins, you’ve probably just completed what is known as “the final nail in the coffin.”

Secrets of the JTAG, aka Time to Buy a New Router

If you research bricked routers at all, you’ll inevitably come across the so-called miracle cure known as the JTAG (short for Joint Test Action Group, which is all about testing circuits). With the JTAG, you can supposedly revive nearly any dead router, not to mention the fact that (apparently) it slices, dices, chops and purees.

However, the JTAG is complicated. You need to build or buy a special cable. It may involve soldering. It connects your PC’s parallel port to circuitry inside your router. It is a very slow communications channel and can take hours of time from beginning to end. And it still may not work, despite the claims.

The JTAG poses the question, how much of a hacker are you? If the idea of building your own cable and connecting it to the guts of the router sounds incredibly cool, then by all means follow this link to the Google search for “hairydairymaid jtag” and follow the results. Otherwise, this may be the time to accept your loss and proceed through the stages of grief: anger, acceptance, and buying a new router.

